1. Field of the Invention
The invention relates to security on public networks such as the Internet and, more generally, on any network in which personal tokens such as smart cards are used to authenticate users.
Many protocols have been proposed for authenticating, over a network, a user who holds a smart card.
2. Description of the Related Art
Current SSL (Secure Sockets Layer) strong authentication is based on smart cards and certificates and is routinely used for authentication, without any need to contact the certificate authority that signed the certificate of the smart card.
One problem, however, arises in such a scheme precisely because no such contact with a certificate authority is needed.
Indeed, the smart card issuer is never asked for consent before a service provider authenticates the smart card. In other words, the authentication process by way of a smart card benefits any service provider, including any service provider that has no commercial agreement with the smart card issuer. A smart card therefore becomes an authentication tool that benefits any entity, including competitors of the smart card issuer.
This is the case with standard SSL using Public Key Infrastructure (PKI) cryptography. Any server can request that the client authenticate itself using smart card PKI. The smart card contains a private key and the associated certificate, so any server can receive the user certificate and thereby check the validity of the user signature.
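The situation described above, reduced to the three operations involved, as an added illustration rather than code from the patent or any product it describes: an issuer signs a client-authentication certificate for a card, the card signs a server challenge (standing in for the TLS handshake transcript covered by CertificateVerify) with its private key, and a server validates the certificate against the issuer root it already holds and checks the signature with the public key inside that certificate. All names, the P-256 key choice and the challenge bytes are constructed for the example; the point is that ServerVerify consumes only local data, so a server with no agreement with the issuer runs exactly the same check as a partner server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issuer models a smart card issuer operating its own certificate authority.
// Its root certificate is distributed to servers once; after that the issuer
// takes no part in any authentication.
type Issuer struct {
	key     *ecdsa.PrivateKey
	RootDER []byte
}

// Card models a smart card holding a private key and the matching certificate.
type Card struct {
	key     *ecdsa.PrivateKey
	CertDER []byte
}

// NewIssuer creates a self-signed root certificate (constructed name).
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Card Issuer Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: key, RootDER: der}, nil
}

// IssueCard personalises a card: a fresh key pair plus a certificate,
// signed by the issuer, restricted to client authentication.
func (iss *Issuer) IssueCard(holder string) (*Card, error) {
	root, err := x509.ParseCertificate(iss.RootDER)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, iss.key)
	if err != nil {
		return nil, err
	}
	return &Card{key: key, CertDER: der}, nil
}

// Sign is the card's part of the handshake: it signs the server's challenge
// with the private key, which never leaves the card.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

// ServerVerify is the check any server can perform with data it already
// holds: chain the card certificate to the issuer root, then verify the
// challenge signature with the certificate's public key. No message is
// sent to the issuer at any point.
func ServerVerify(rootDER, cardCertDER, challenge, sig []byte) error {
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return err
	}
	cardCert, err := x509.ParseCertificate(cardCertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cardCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if err := cardCert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return fmt.Errorf("challenge signature: %w", err)
	}
	return nil
}

func main() {
	issuer, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	card, err := issuer.IssueCard("card holder 0001") // constructed holder name
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed server nonce 1234")
	sig, err := card.Sign(challenge)
	if err != nil {
		panic(err)
	}
	// A partner of the issuer and a competitor run the identical check.
	for _, server := range []string{"partner service", "competitor service"} {
		verr := ServerVerify(issuer.RootDER, card.CertDER, challenge, sig)
		fmt.Printf("%s accepts the card: %v\n", server, verr == nil)
	}
}
```

The two servers in main differ only in name: the authentication succeeds for both because the only trust input is the issuer root certificate, which a server obtains once and reuses, and the signature check needs nothing beyond the public key carried in the card's own certificate.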